Uploaded byIndusfacePvtLtd
4,595 views

OWASP Top 10 API Security Risks

The document outlines the OWASP Top 10 API security risks, including broken authentication, excessive data exposure, and security misconfiguration. It highlights vulnerabilities such as lack of proper filtering, insufficient logging, and risks from brute force attacks. The document emphasizes the importance of securing APIs against these common threats.

Technology
Related topics:
Cybersecurity Threats
In this document
Powered by AI

Introduction to the top 10 APIs security risks as defined by OWASP.

API returns sensitive data due to lack of user authentication, exposing user IDs.

Sensitive data is accessible through credential stuffing and using compromised credentials.

APIs can expose sensitive information without proper filtering, leading to data leaks.

API vulnerabilities arise when there are no restrictions on request rates, promoting brute force attacks.

Users exploit APIs to access unauthorized functions, leading to information access breaches.

Promotion of services for web application and API protection, including trial offers.

API takes user inputs directly, allowing unauthorized access to backend objects via input manipulation.

APIs are vulnerable to attacks due to nonsecure configurations, unprotected files, and verbose error messages.

Attackers manipulate APIs to execute SQL injections, compromising data integrity.

Risk of exploitation through unmanaged staging APIs, emphasizing the need for asset management.

Lack of proper logging and monitoring in APIs results in undetected attacks.

Call to action for scanning and protecting APIs, highlighting various services offered.

Embed presentation

Downloaded 11 times
top10 APISecurityRisks OWASP
APIs without authen�ca�on api/userID/20905 api/userID/20804 BOB John This is when API returns sensi�ve data to a user who doesn’t have permission to access that data 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 API1:2019 Broken Object-Level Authorization
This is when API returns sensi�ve data to a user who doesn’t have permission to access that data A�acker API Endpoints <> <> <> <> <> <> <> <> Uses creden�al stuffing with stolen password database API2:2019 Broken User Authentication
This is when API is designed to expose all sensi�ve data without proper filtering Sam GET /api/userprofile Applica�on Server Database Server { [Name: Sam.. Card No.: 1234 SSN: 709-99-789, Name: John.. Card No.: 5467 SSN: 237-71-567, ...] } 709-99-7890 Sam 1234 5678 9012 3456 DOB 709-99-7890 API3:2019 Excessive Data Exposure
When there is no restric�on on the number of requests made by users, APIs can be vulnerable to brute force and DDoS a�acks ! API4:2019 Lack of Resources & Rate Limiting
GET/accounts/emp1/account_detail GET/accounts/emp2/account_detail Alex A�acker What if i replace emp1 with emp2 and view someone else’s data This is when an API allows users to use HTTP methods to execute func�ons, they are unauthorized to perform API5:2019 Broken Function Level Authorization
Trust us for Web Applica�on and API Protec�on Start your free trial at indusface.com/api
POST/order/coupon ... {”coupon_code”: {”welcome10”, ”welcome10”, ”welcome10”, ...] } 200 OK ... {”Order_value”:”0$”} A�ack Scenario E-Commerce site Normal Scenario POST/order/coupon ... {”coupon_code”:”welcome10”} 200 OK ... {”order_value”:”90$”} E-Commerce site It occurs when an API takes user input directly and maps the values to the backend object models without proper filtering API6:2019 Mass Assignment
An API component is suscep�ble to a�ack due to a nonsecure configura�on op�on Unhardened Images HTTP headers HTTP CORS Open files and folders Verbose errors API7:2019 Security Misconfiguration
A�ackers send malicious data to an API that passes it into the database User A�acker Server Select * from users WHERE userID =’1199’ and password = ‘secretpw’; Select * from users WHERE userID =’1199’ and password = “or 1=1; User ID : Password : API8:2019 Injection
A�ackers may break into the current API by exploi�ng the vulnerability on the staging API if le� unmanaged Beta API Produc�on API API9:2019 Improper Assets Management
It occurs when there are no recording details about auditable events inside an API Properly Set Up Logging New Threat Detected! Insufficient Logging All Good! ATTACK IN PROGRESS My User Name LOG IN Forgot Password API10:2019 Insufficient Logging & Monitoring
Scan & Protect Your APIs Today! API Discovery API Vulnerability Scanning DDoS & Bot Mi�ga�on API Pen Tes�ng Start your free trial at indusface.com/api OWASP Top 10 Protec�on

More Related Content

PDF
OWASP API Security Top 10 - API World
by42Crunch
 
PPTX
API Security Fundamentals
byJosé Haro Peralta
 
PDF
OWASP API Security Top 10 Examples
by42Crunch
 
PDF
Hacking and Defending APIs - Red and Blue make Purple.pdf
byMatt Tesauro
 
PDF
API Testing and Hacking (1).pdf
byVishwas N
 
PPTX
Getting Started with API Security Testing
bySmartBear
 
PDF
Peeling the Onion: Making Sense of the Layers of API Security
byMatt Tesauro
 
PDF
API Security Best Practices & Guidelines
byPrabath Siriwardena
 
OWASP API Security Top 10 - API World
by42Crunch
 
API Security Fundamentals
byJosé Haro Peralta
 
OWASP API Security Top 10 Examples
by42Crunch
 
Hacking and Defending APIs - Red and Blue make Purple.pdf
byMatt Tesauro
 
API Testing and Hacking (1).pdf
byVishwas N
 
Getting Started with API Security Testing
bySmartBear
 
Peeling the Onion: Making Sense of the Layers of API Security
byMatt Tesauro
 
API Security Best Practices & Guidelines
byPrabath Siriwardena
 

What's hot

PDF
Api security-testing
byn|u - The Open Security Community
 
PPTX
OWASP TOP 10 VULNERABILITIS
byNull Bhubaneswar
 
PPT
OWASP Top Ten
byChristian Heinrich
 
PPTX
OWASP Top 10 2021 Presentation (Jul 2022)
byTzahiArabov
 
PPTX
Owasp top 10 vulnerabilities
byOWASP Delhi
 
PDF
Checkmarx meetup API Security - API Security top 10 - Erez Yalon
byAdar Weidman
 
PPTX
OWASP Top 10 2021 What's New
byMichael Furman
 
PPTX
security misconfigurations
byMegha Sahu
 
PDF
OWASP API Security Top 10 - Austin DevSecOps Days
by42Crunch
 
PPT
Secure code practices
byHina Rawal
 
PPTX
Owasp
bypenetration Tester
 
PDF
API Vulnerabilties and What to Do About Them
byEoin Woods
 
PPTX
Vulnerable_and_outdated_components_suman.pptx
bySuman Astani
 
PDF
OWASP Top 10 Web Application Vulnerabilities
bySoftware Guru
 
PDF
Web application security & Testing
byDeepu S Nath
 
PPT
Top 10 Web Security Vulnerabilities (OWASP Top 10)
byBrian Huff
 
PDF
OWASP Top 10 Vulnerabilities - A5-Broken Access Control; A6-Security Misconfi...
byLenur Dzhemiliev
 
ODP
OWASP Secure Coding
bybilcorry
 
PPTX
Secure Coding 101 - OWASP University of Ottawa Workshop
byPaul Ionescu
 
PPTX
Secure coding practices
byMohammed Danish Amber
 
Api security-testing
byn|u - The Open Security Community
 
OWASP TOP 10 VULNERABILITIS
byNull Bhubaneswar
 
OWASP Top Ten
byChristian Heinrich
 
OWASP Top 10 2021 Presentation (Jul 2022)
byTzahiArabov
 
Owasp top 10 vulnerabilities
byOWASP Delhi
 
Checkmarx meetup API Security - API Security top 10 - Erez Yalon
byAdar Weidman
 
OWASP Top 10 2021 What's New
byMichael Furman
 
security misconfigurations
byMegha Sahu
 
OWASP API Security Top 10 - Austin DevSecOps Days
by42Crunch
 
Secure code practices
byHina Rawal
 
Owasp
bypenetration Tester
 
API Vulnerabilties and What to Do About Them
byEoin Woods
 
Vulnerable_and_outdated_components_suman.pptx
bySuman Astani
 
OWASP Top 10 Web Application Vulnerabilities
bySoftware Guru
 
Web application security & Testing
byDeepu S Nath
 
Top 10 Web Security Vulnerabilities (OWASP Top 10)
byBrian Huff
 
OWASP Top 10 Vulnerabilities - A5-Broken Access Control; A6-Security Misconfi...
byLenur Dzhemiliev
 
OWASP Secure Coding
bybilcorry
 
Secure Coding 101 - OWASP University of Ottawa Workshop
byPaul Ionescu
 
Secure coding practices
byMohammed Danish Amber
 

Similar to OWASP Top 10 API Security Risks

PDF
Keamanan Digital dan Privasi di Masa Pandemi-Taro Lay (Director-Kalama Cyber)
byDicodingEvent
 
PPTX
apidays Paris 2024 - Layered Approach of API Security Strategies and its Busi...
byapidays
 
PDF
Top 10 OWASP API Security Threats
byWSO2
 
PDF
Api economy and why effective security is important (1)
byIndusfacePvtLtd
 
PDF
API Security Best Practices and Guidelines
byWSO2
 
PDF
2022 apidays LIVE Helsinki & North_Future proofing API Security
byapidays
 
PDF
Enhancing your Security APIs
byApigee | Google Cloud
 
PDF
Guidelines to protect your APIs from threats
byIsabelle Mauny
 
PDF
apidays Australia 2023 - API Security Breach Analysis & Empowering Devs to M...
byapidays
 
PPTX
How-to-Secure-APIs-to-Defend-Against-Emerging-Cyber-Threats-to-Digital-Web-As...
bykhalidmohammedfci
 
PPTX
2022 APIsecure_Go Hack Yourself: API Hacking for Beginners
byAPIsecure_ Official
 
PDF
APIdays Paris 2019 - API Security Tips for Developers by Isabelle Mauny, 42Cr...
byapidays
 
PDF
Akamai_ API Security Best Practices - Real-world attacks and breaches
bySecurity Bootcamp
 
PDF
apidays LIVE Paris 2021 - Addressing OWASP API Security Top 10 by Isabelle Ma...
byapidays
 
PDF
apidays LIVE LONDON - Protecting financial-grade APIs - Getting the right API...
byapidays
 
PDF
apidays LIVE Paris - Protecting financial grade API: adopting the right secur...
byapidays
 
PDF
What Is API Security? Threats, Tools, and Best Practices in 2025 | USCSI®
byUnited States Cybersecurity Institute (USCSI®)
 
PDF
Common Security API Issues and How to Mitigate Them Using Postman
byPostman
 
PPTX
Building better security for your API platform using Azure API Management
byEldert Grootenboer
 
PDF
HowYourAPIBeMyAPI
byJie Liau
 
Keamanan Digital dan Privasi di Masa Pandemi-Taro Lay (Director-Kalama Cyber)
byDicodingEvent
 
apidays Paris 2024 - Layered Approach of API Security Strategies and its Busi...
byapidays
 
Top 10 OWASP API Security Threats
byWSO2
 
Api economy and why effective security is important (1)
byIndusfacePvtLtd
 
API Security Best Practices and Guidelines
byWSO2
 
2022 apidays LIVE Helsinki & North_Future proofing API Security
byapidays
 
Enhancing your Security APIs
byApigee | Google Cloud
 
Guidelines to protect your APIs from threats
byIsabelle Mauny
 
apidays Australia 2023 - API Security Breach Analysis & Empowering Devs to M...
byapidays
 
How-to-Secure-APIs-to-Defend-Against-Emerging-Cyber-Threats-to-Digital-Web-As...
bykhalidmohammedfci
 
2022 APIsecure_Go Hack Yourself: API Hacking for Beginners
byAPIsecure_ Official
 
APIdays Paris 2019 - API Security Tips for Developers by Isabelle Mauny, 42Cr...
byapidays
 
Akamai_ API Security Best Practices - Real-world attacks and breaches
bySecurity Bootcamp
 
apidays LIVE Paris 2021 - Addressing OWASP API Security Top 10 by Isabelle Ma...
byapidays
 
apidays LIVE LONDON - Protecting financial-grade APIs - Getting the right API...
byapidays
 
apidays LIVE Paris - Protecting financial grade API: adopting the right secur...
byapidays
 
What Is API Security? Threats, Tools, and Best Practices in 2025 | USCSI®
byUnited States Cybersecurity Institute (USCSI®)
 
Common Security API Issues and How to Mitigate Them Using Postman
byPostman
 
Building better security for your API platform using Azure API Management
byEldert Grootenboer
 
HowYourAPIBeMyAPI
byJie Liau
 

More from IndusfacePvtLtd

PDF
API7:2019 Security Misconfiguration
byIndusfacePvtLtd
 
PDF
Indusface and CARTA Whitepaper
byIndusfacePvtLtd
 
PDF
AppTrana Competency Matrix for OWASP Top 10
byIndusfacePvtLtd
 
PDF
AppTrana SECaaS (Security as a Service)
byIndusfacePvtLtd
 
PDF
Why Manual Pen-Testing is a must have for comprehensive application security ...
byIndusfacePvtLtd
 
PDF
10 Types of Cybersecurity Attacks
byIndusfacePvtLtd
 
PDF
Why Startups Need to Strengthen Application Security
byIndusfacePvtLtd
 
PDF
True Cost of Ransomware to Your Business
byIndusfacePvtLtd
 
PDF
8 Key Considerations in Choosing the Right WAF
byIndusfacePvtLtd
 
PDF
5 Effective Ways for Website Protection
byIndusfacePvtLtd
 
PDF
5 Top Cyber Threats That Will Ruin Your Business
byIndusfacePvtLtd
 
API7:2019 Security Misconfiguration
byIndusfacePvtLtd
 
Indusface and CARTA Whitepaper
byIndusfacePvtLtd
 
AppTrana Competency Matrix for OWASP Top 10
byIndusfacePvtLtd
 
AppTrana SECaaS (Security as a Service)
byIndusfacePvtLtd
 
Why Manual Pen-Testing is a must have for comprehensive application security ...
byIndusfacePvtLtd
 
10 Types of Cybersecurity Attacks
byIndusfacePvtLtd
 
Why Startups Need to Strengthen Application Security
byIndusfacePvtLtd
 
True Cost of Ransomware to Your Business
byIndusfacePvtLtd
 
8 Key Considerations in Choosing the Right WAF
byIndusfacePvtLtd
 
5 Effective Ways for Website Protection
byIndusfacePvtLtd
 
5 Top Cyber Threats That Will Ruin Your Business
byIndusfacePvtLtd
 

Recently uploaded

PDF
Raj Jain, Recent Advances, Issues, and Challenges in Cybersecurity, Keynote a...
byrjain51
 
PDF
November 2025 OpenMetadata Community Spotlight - Astronomer & Airflow 3
byOpenMetadata
 
PDF
Building a Multi-Tenant OpenShift Platform with HyperShift
byTosin Akinosho
 
PDF
IDSECCONF2025 - Rama Tri Nanda - Hunting Stingray GSM on Budget.pdf
byidsecconf
 
PDF
MINDCTI Revenue Release Quarter 3 2025 - Financial Presentation
byMIND CTI
 
PDF
LVM Management and Disaster Recovery.pdf
byLinuxCert Guru
 
PDF
Command Line Text Processing - RHCSA +.pdf
byLinuxCert Guru
 
PPTX
Streamlining Business Processes with UiPath Apps
byTracy Dixon
 
PDF
Beyond Basics: How to Build Scalable, Intelligent Imagery Pipelines
bySafe Software
 
PDF
Supercharging Android Apps with On-Device AI: Gemini Nano
bydinoykraj
 
PDF
IDSECCONF2025 - Faisal Ilham - Semi Automating Vulnerability Scanner and Expl...
byidsecconf
 
PDF
IDSECCONF2025 - Aan Wahyu - Maze–Malware Analysis Platform.pdf
byidsecconf
 
PDF
Oracle MySQL HeatWave - Complete - Version 3
byLuca Bonesini
 
PPTX
oop pillor polymorphism Code Presentation
byhifzamahmood8
 
PPTX
Understanding the digital experience of FE teaching staff in 2024/25
byJisc
 
PDF
AWS Cloud Technical Essentials - AWS Certificate
byVICTOR MAESTRE RAMIREZ
 
PDF
UiPath DevConnect 2025: UiPath ScreenPlay - The Future of Human-Like Automation
byDianaGray10
 
PDF
AI in Food Production (Foodwell) - AI Solutions Supporting Operations
bybyteLAKE
 
PDF
UiPath DevConnect 2025: UiPath ScreenPlay - The Future of Human-Like Automation
byDianaGray10
 
PDF
How to Spot a Fraudulent Shopping Website
byAshwini Singh
 
Raj Jain, Recent Advances, Issues, and Challenges in Cybersecurity, Keynote a...
byrjain51
 
November 2025 OpenMetadata Community Spotlight - Astronomer & Airflow 3
byOpenMetadata
 
Building a Multi-Tenant OpenShift Platform with HyperShift
byTosin Akinosho
 
IDSECCONF2025 - Rama Tri Nanda - Hunting Stingray GSM on Budget.pdf
byidsecconf
 
MINDCTI Revenue Release Quarter 3 2025 - Financial Presentation
byMIND CTI
 
LVM Management and Disaster Recovery.pdf
byLinuxCert Guru
 
Command Line Text Processing - RHCSA +.pdf
byLinuxCert Guru
 
Streamlining Business Processes with UiPath Apps
byTracy Dixon
 
Beyond Basics: How to Build Scalable, Intelligent Imagery Pipelines
bySafe Software
 
Supercharging Android Apps with On-Device AI: Gemini Nano
bydinoykraj
 
IDSECCONF2025 - Faisal Ilham - Semi Automating Vulnerability Scanner and Expl...
byidsecconf
 
IDSECCONF2025 - Aan Wahyu - Maze–Malware Analysis Platform.pdf
byidsecconf
 
Oracle MySQL HeatWave - Complete - Version 3
byLuca Bonesini
 
oop pillor polymorphism Code Presentation
byhifzamahmood8
 
Understanding the digital experience of FE teaching staff in 2024/25
byJisc
 
AWS Cloud Technical Essentials - AWS Certificate
byVICTOR MAESTRE RAMIREZ
 
UiPath DevConnect 2025: UiPath ScreenPlay - The Future of Human-Like Automation
byDianaGray10
 
AI in Food Production (Foodwell) - AI Solutions Supporting Operations
bybyteLAKE
 
UiPath DevConnect 2025: UiPath ScreenPlay - The Future of Human-Like Automation
byDianaGray10
 
How to Spot a Fraudulent Shopping Website
byAshwini Singh
 

OWASP Top 10 API Security Risks

  • 1.
  • 2.
    APIs without authen�ca�on api/userID/20905 api/userID/20804 BOB John This iswhen API returns sensi�ve data to a user who doesn’t have permission to access that data 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 API1:2019 Broken Object-Level Authorization
  • 3.
    This is whenAPI returns sensi�ve data to a user who doesn’t have permission to access that data A�acker API Endpoints <> <> <> <> <> <> <> <> Uses creden�al stuffing with stolen password database API2:2019 Broken User Authentication
  • 4.
    This is whenAPI is designed to expose all sensi�ve data without proper filtering Sam GET /api/userprofile Applica�on Server Database Server { [Name: Sam.. Card No.: 1234 SSN: 709-99-789, Name: John.. Card No.: 5467 SSN: 237-71-567, ...] } 709-99-7890 Sam 1234 5678 9012 3456 DOB 709-99-7890 API3:2019 Excessive Data Exposure
  • 5.
    When there isno restric�on on the number of requests made by users, APIs can be vulnerable to brute force and DDoS a�acks ! API4:2019 Lack of Resources & Rate Limiting
  • 6.
    GET/accounts/emp1/account_detail GET/accounts/emp2/account_detail Alex A�acker What if ireplace emp1 with emp2 and view someone else’s data This is when an API allows users to use HTTP methods to execute func�ons, they are unauthorized to perform API5:2019 Broken Function Level Authorization
  • 7.
    Trust us for WebApplica�on and API Protec�on Start your free trial at indusface.com/api
  • 8.
    POST/order/coupon ... {”coupon_code”: {”welcome10”, ”welcome10”, ”welcome10”, ...] } 200 OK ... {”Order_value”:”0$”} A�ack Scenario E-Commercesite Normal Scenario POST/order/coupon ... {”coupon_code”:”welcome10”} 200 OK ... {”order_value”:”90$”} E-Commerce site It occurs when an API takes user input directly and maps the values to the backend object models without proper filtering API6:2019 Mass Assignment
  • 9.
    An API componentis suscep�ble to a�ack due to a nonsecure configura�on op�on Unhardened Images HTTP headers HTTP CORS Open files and folders Verbose errors API7:2019 Security Misconfiguration
  • 10.
    A�ackers send maliciousdata to an API that passes it into the database User A�acker Server Select * from users WHERE userID =’1199’ and password = ‘secretpw’; Select * from users WHERE userID =’1199’ and password = “or 1=1; User ID : Password : API8:2019 Injection
  • 11.
    A�ackers may breakinto the current API by exploi�ng the vulnerability on the staging API if le� unmanaged Beta API Produc�on API API9:2019 Improper Assets Management
  • 12.
    It occurs whenthere are no recording details about auditable events inside an API Properly Set Up Logging New Threat Detected! Insufficient Logging All Good! ATTACK IN PROGRESS My User Name LOG IN Forgot Password API10:2019 Insufficient Logging & Monitoring
  • 13.
    Scan & ProtectYour APIs Today! API Discovery API Vulnerability Scanning DDoS & Bot Mi�ga�on API Pen Tes�ng Start your free trial at indusface.com/api OWASP Top 10 Protec�on